Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Vendor Ships Unofficial Patch for IE Zero-Day Vulnerability

Slovenia-based cybersecurity research company ACROS Security last week announced the release of an unofficial micro-patch for a zero-day vulnerability in Microsoft Internet Explorer (IE) that North Korean hackers are believed to have exploited in a campaign targeting security researchers.

Slovenia-based cybersecurity research company ACROS Security last week announced the release of an unofficial micro-patch for a zero-day vulnerability in Microsoft Internet Explorer (IE) that North Korean hackers are believed to have exploited in a campaign targeting security researchers.

South Korean security vendor ENKI published a report on the IE zero-day in early February, claiming that North Korean hackers leveraged it to target its researchers with malicious MHTML files leading to drive-by downloads of malicious payloads.

Microsoft has confirmed receiving a report on the vulnerability through an “incorrect channel,” and said that it was committed to investigate the report and deliver a patch as soon as possible.

However, a fix for this zero-day was not included in the security updates that Microsoft released last week as part of its February 2021 Patch Tuesday.

On Thursday, ACROS Security announced that an unofficial patch for the vulnerability is now available through its 0patch service.

“We have just issued the first batch of micropatches for the Internet Explorer HTML Attribute nodeValue Double Free 0day, which affects all Windows workstations and servers from (at least) Windows 7 and Server 2008 R2 to the very latest supported versions, even if fully updated,” the company announced.

The company said that for the release of this patch it worked together with ENKI, which shared their proof-of-concept to help with the development of a fix.

“The vulnerability is a double free, triggered by making Internet Explorer clear an HTML Attribute value twice,” ACROS Security revealed.

Advertisement. Scroll to continue reading.

The exploit that ENKI discovered leads to the execution of arbitrary code inside Internet Explorer when the user visits a malicious website, and does not require additional user interaction.

IE’s usage is low, but the browser is still present on Windows computers and is set as the default application for opening MHT/MHTML files. Furthermore, the browser is used internally within a large number of organizations and can execute HTML content inside Windows applications, ACROS notes.

To address the bug, the unofficial patch no longer allows for “an HTML Attribute value (normally a string) to be an object.” With only 5 or 6 CPU instructions, the patch should fully prevent exploitation, ACROS Security says.

The first batch of patches is being delivered to Windows (32bit and 64bit) systems that run the January 2021 Patch Tuesday updates (Windows 7 + ESU, Windows 10, Server 2008 R2 + ESU, Server 2016, 2019) and to those last updated on January 2020 (namely Windows 7 and Server 2008 R2 without ESU).

A second batch of patches is set to arrive on systems that have the February 2021 set of official security updates installed.

Related: Google Warns of North Korean Gov Hackers Targeting Security Researchers

Related: Unofficial Patch Released for Windows 7 Zero-Day Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.